
3.1.1 AAA Overview
Network intruders can potentially gain access to sensitive network equipment and services. Access
control limits who or what can use specific resources as well as the services or options available once
access is granted. Many types of authentication methods can be performed on a Cisco device, and each
method offers varying levels of security.

The simplest form of authentication is a password. This method is configured using a login and password
combination on the console, vty, and aux lines. It is the easiest method to implement, but it is also the
weakest and least secure. Password-only logins are very vulnerable to brute-force attacks. Additionally,
this method provides no accountability: anyone with the password can gain entry to the device and alter
the configuration, and nothing records who did so.

To help provide accountability, local database authentication may be implemented using one of the
following commands:

username username password password
username username secret password

This method creates individual user accounts on each device with a specific password assigned to each
user. The local database method provides additional security, because an attacker is required to know a
username and a password. It also provides more accountability, because the username is recorded
when a user logs in. Keep in mind that the username password command combination displays the
password in plaintext in the configuration file if the service password-encryption command is not
configured. The username secret combination is highly recommended because it stores an MD5 hash of the
password (Cisco's MD5-style encryption) instead of the password itself.

The local database method has some limitations. The user accounts must be configured locally on each
device. In a large enterprise environment that has multiple routers and switches to manage, it can take
time to implement and change local databases on each device. Additionally, the local database
configuration provides no fallback authentication method. For example, what if the administrator
forgets the username and password for that device? With no backup method available for
authentication, password recovery becomes the only option.

A better solution is to have all devices refer to the same database of usernames and passwords from a
central server. This chapter explores the various methods of securing network access using
Authentication, Authorization, and Accounting (AAA) to secure Cisco routers.
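The weaknesses described above (plaintext or reversible local passwords, password-only line logins, and a server-based method list with no local fallback) can be checked mechanically in a saved running-config. The following script is an added example written for this page, not part of the course material; the three configurations it audits are constructed samples, and the hostname, server name, address and hash are placeholders. The fallback check applies to any aaa authentication login list, which goes slightly beyond the single scenario in the text.

```python
"""Audit a Cisco IOS running-config for the login weaknesses discussed above."""
import re

# Constructed sample configurations (placeholders only, not from any real device).
WEAK_CONFIG = """\
hostname R1
!
username admin password cisco123
line con 0
 login local
line vty 0 4
 password vtypass
 login
"""

HARDENED_CONFIG = """\
hostname R1
!
service password-encryption
aaa new-model
aaa authentication login default group tacacs+ local
tacacs server TACACS1
 address ipv4 192.0.2.10
 key 7 PLACEHOLDER
username admin secret 5 $1$PLACEHOLDERHASH
line con 0
line vty 0 4
 transport input ssh
"""

# Central server configured, but the method list has no 'local' fallback.
NO_FALLBACK_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+
username admin secret 5 $1$PLACEHOLDERHASH
"""

USERNAME_RE = re.compile(r"^username\s+(\S+)\s+(password|secret)\s+(?:(\d)\s+)?\S+")
AAA_LOGIN_RE = re.compile(r"^aaa authentication login\s+(\S+)\s+(.+)$")


def audit_config(config: str) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    findings: list[str] = []
    pw_encryption = "service password-encryption" in lines
    aaa_enabled = "aaa new-model" in lines
    plaintext_seen = False

    current_line = None  # the 'line con/vty/aux' block we are inside, if any
    for ln in lines:
        if not ln.startswith(" "):
            current_line = ln if ln.startswith("line ") else None
        stripped = ln.strip()

        m = USERNAME_RE.match(ln)
        if m:
            user, keyword, ptype = m.groups()
            if keyword == "password":
                if ptype == "7":
                    findings.append(f"username {user}: type 7 password is reversible; use 'secret'")
                else:
                    plaintext_seen = True
                    findings.append(f"username {user}: plaintext (type 0) password; use 'secret'")
            continue

        # Bare 'login' under a line block means password-only, no username at all.
        if current_line and stripped == "login":
            findings.append(f"{current_line}: password-only login, no username (no accountability)")
            continue

        m = AAA_LOGIN_RE.match(ln)
        if m:
            list_name, methods = m.groups()
            tokens = methods.split()
            if "group" in tokens and "local" not in tokens:
                findings.append(
                    f"aaa login list '{list_name}': no local fallback if the AAA server is unreachable"
                )

    if plaintext_seen and not pw_encryption:
        findings.append("service password-encryption not set: plaintext passwords appear in the config")
    if not aaa_enabled:
        findings.append("aaa new-model not configured: authentication relies on per-device lines and local accounts only")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG), ("no-fallback", NO_FALLBACK_CONFIG)):
        print(f"== {name} ==")
        for finding in audit_config(cfg) or ["no findings"]:
            print(" ", finding)
```

Running it against a real `show running-config` capture is a quick way to confirm that every local account uses secret, that no line still relies on a bare login, and that every server-based method list ends in local so an unreachable server does not lock administrators out.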
[Figure: Password Only Methods; Local Database Method]

AAA network security services provide the primary framework to set up access control on a network
device. AAA is a way to control who is permitted to access a network (authenticate), what they can do
while they are there (authorize), and to audit what actions they performed while accessing the network
(accounting). It provides a higher degree of scalability than the con, aux, vty and privileged EXEC
authentication commands alone.

Network and administrative AAA security in the Cisco environment has several functional components:

Authentication - Users and administrators must prove that they are who they say they are.
Authentication can be established using username and password combinations, challenge and
response questions, token cards, and other methods. For example: "I am user 'student'. I know
the password to prove that I am user 'student'."
Authorization - After the user is authenticated, authorization services determine which
resources the user can access and which operations the user is allowed to perform. An example
is "User 'student' can access host serverXYZ using Telnet only."
Accounting and auditing - Accounting records what the user does, including what is accessed,
the amount of time the resource is accessed, and any changes that were made. Accounting
keeps track of how network resources are used. An example is "User 'student' accessed host
serverXYZ using Telnet for 15 minutes."

This concept is similar to the use of a credit card. The credit card identifies who can use it, how much
that user can spend, and keeps account of what items the user spent money on.
